LinuxQuestions.org
Old 06-21-2002, 07:51 AM   #1
saravanan1979
Member
 
Registered: Jan 2002
Posts: 163

Rep: Reputation: 30
Linsniffer Attack


Hello
My Linux system (RedHat 6.2) has been hacked. I had reports from the ISP that many networks were receiving many illegal probes from my system. I ran ps and found the linsniffer process running in my process list. I have killed the process. Can anyone tell me how to eradicate all of the processes completely from my system?

Regards
Saravaann
 
Old 06-21-2002, 08:39 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I'm sorry to hear this. For now: get the box off the net. Even after investigating what was compromised etc., etc., there should be no other clear answer than to save your *human readable data* and rebuild your box from scratch, for the simple reason that you can't possibly trust the system anymore. More info: CERT Steps for Recovering from a UNIX or NT System Compromise.

Go for a recent release of your distro, or if you can't due to legacy apps etc., etc., at least make sure you upgrade your daemons to a known-good version. Try to keep up to date with your vendors' / general vulnerability issues with Linux. I could make a list of what to do to secure your boxen more, but since I'm in --recycling-mode try these links to get a better grip on securing your box:
CERT UNIX Security Checklist v2.0,
CERT's Techtips,
LASG: Linux Administrator's Security Guide,
Security Quick-Start HOWTO for Linux,
Armoring Linux,
The SANS Reading room: Linux issues,
Bastille Linux Hardening System,
Elementary security for your Linux box.

HTH

Last edited by unSpawn; 06-21-2002 at 08:44 AM.
 
Old 06-21-2002, 08:45 AM   #3
orgcandman
Member
 
Registered: May 2002
Location: new hampshire
Distribution: Fedora, RHEL
Posts: 600

Rep: Reputation: 110
HOLD UP THERE!!

Don't destroy your box yet. Get a good suite of forensics tools and figure out how they got in. Then you can safeguard against that same attack. Just rebuilding is pointless unless you learn from it.

I suggest The Coroner's Toolkit, but any forensics toolkit should suffice.

Post how they got in if it's really unique so we all can learn.
 
Old 06-21-2002, 09:15 AM   #4
X11
Member
 
Registered: Dec 2001
Location: Brisie, Australia
Distribution: Slackware 8.1
Posts: 324

Rep: Reputation: 30
Quote:
Originally posted by orgcandman
I suggest The Coroner's Toolkit, but any forensics toolkit should suffice.
What's a coroner's toolkit, and what's a forensics toolkit?
 
Old 06-21-2002, 09:27 AM   #5
saravanan1979
Member
 
Registered: Jan 2002
Posts: 163

Original Poster
Rep: Reputation: 30
First let me tell you my setup: my Linux machine is in a network of 80 machines which also has a router. For business reasons any requests coming in on port 80 are redirected to the Linux machine, so within the network the machine can be accessed by the Ethernet IP of my machine, and people outside the network access it using a global IP. After my system was hacked I found 2 files in network-scripts: ifcfg-eth0 (normal file) and
ifcfg-eth0:0; this file had the global IP as its content. Now I deleted the ifcfg-eth0:0, but I was still able to locate it. Now I restarted my system and found that eth0 was enabled in promiscuous mode. Then I downed eth0:0 using ifconfig, and after that ifcfg-eth0:0 could be seen nowhere.
Dear orgcandman,
Can you give the details of the forensic toolkit? Where could I find this?
 
Old 06-21-2002, 09:34 AM   #6
orgcandman
Member
 
Registered: May 2002
Location: new hampshire
Distribution: Fedora, RHEL
Posts: 600

Rep: Reputation: 110
Forensics toolkits just analyse your system for attacks, and show you the contents of really important files. They allow you to go in and read raw sectors off the disk and look at all of the access logs on a *nix machine. Of course, unless you have auditing software (like Tripwire or some other file modification detector) the forensics kits aren't gonna be too much help. However, getting chkrootkit and a forensics kit should help you diagnose exactly how your system was attacked.
 
Old 06-21-2002, 09:39 AM   #7
orgcandman
Member
 
Registered: May 2002
Location: new hampshire
Distribution: Fedora, RHEL
Posts: 600

Rep: Reputation: 110
Whoops... most importantly, I forgot where to get a forensics toolkit.

http://www.porcupine.org/forensics/tct.html

will be The Coroner's Toolkit.

IMHO, the best forensics toolkit...period.
 
Old 06-21-2002, 09:42 AM   #8
saravanan1979
Member
 
Registered: Jan 2002
Posts: 163

Original Poster
Rep: Reputation: 30
Dear orgcandman
Thank you for the info. I just have RH6.2 installed, nothing more than that. I will try and get back to you.
Saravanan

Last edited by saravanan1979; 06-21-2002 at 09:44 AM.
 
Old 06-21-2002, 10:00 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Not exactly right. TCT will only show you what's there, but you'll have to do the analysis yourself based on your knowledge of, for instance, the use of MAC-times, snippets of code you find, running strings on binaries, the state of the system, your knowledge of blackhat kinda stuff, etc., etc. Btw, TCT requires practicing with it *beforehand*.

File integrity scanners like Aide, Tripwire, Samhain and the like will only be useful if you kept them current, and if the databases were kept on read-only media (same for the rpm database).

Chkrootkit is a really invaluable tool, but is useless if your system is (suspected) compromised: compile it elsewhere and use static binaries, or better, run it off the Biatchux CD (sourceforge), which has chkrootkit on it (0.35 IIRC), TCT *and* Perl.

Again, if you can't *trust* (keep control of) your system, and you've had good indications of that, make a copy of the disk with "dd" to another drive/host for later examination and consider reinstalling from scratch.
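The original poster found eth0 in promiscuous mode, which is what a sniffer such as linsniffer leaves behind on the interface it listens on. The script below is an added example, not posted by anyone in this thread; it reads the interface flag bitmask from the Linux sysfs path /sys/class/net/<iface>/flags (assumed layout; IFF_PROMISC is 0x100 in <linux/if.h>) and reports interfaces with the PROMISC bit set, first on a constructed sample tree and then on the live host.

```shell
#!/bin/sh
# Added example, not from the thread: find interfaces that are in promiscuous
# mode, the state the original poster found eth0 in after the linsniffer
# compromise. A sniffer normally has to set PROMISC on the interface it
# listens on, so this is a cheap check to run from a trusted boot medium.
# Assumes the Linux sysfs layout /sys/class/net/<iface>/flags, which holds
# the interface flags as a hex bitmask; IFF_PROMISC is 0x100 (<linux/if.h>).

IFF_PROMISC=256   # 0x100

# is_promisc HEXFLAGS -> prints "yes" if the PROMISC bit is set, else "no".
# Pure function over the flag value, so it can be tried on constructed input.
is_promisc() {
    flags=$(( $1 ))   # shell arithmetic accepts the 0x... form sysfs uses
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# list_promisc_ifaces [SYSFS_NET_DIR] -> prints the names of interfaces with
# PROMISC set, one per line (empty output means none found).
list_promisc_ifaces() {
    dir=${1:-/sys/class/net}
    for f in "$dir"/*/flags; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        [ "$(is_promisc "$(cat "$f")")" = yes ] && echo "$iface"
    done
    return 0
}

# Constructed sample sysfs tree: lo = UP|LOOPBACK, eth0 = UP|BROADCAST|
# MULTICAST|PROMISC (what a sniffer leaves behind), eth1 = same without PROMISC.
sample=$(mktemp -d)
mkdir -p "$sample/lo" "$sample/eth0" "$sample/eth1"
echo 0x9    > "$sample/lo/flags"
echo 0x1103 > "$sample/eth0/flags"
echo 0x1003 > "$sample/eth1/flags"
echo "sample tree: promiscuous = $(list_promisc_ifaces "$sample")"   # eth0
rm -rf "$sample"

# Live check of this host (prints nothing where /sys/class/net is absent).
echo "this host:   promiscuous = $(list_promisc_ifaces)"
```

As unSpawn notes above about chkrootkit, a check like this is only worth trusting when the shell, cat and the kernel reporting the flags are known-good, i.e. when run from a clean boot medium rather than on the suspect system itself.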
 